I've got 2 Check Point FW instances in Azure sending events back to QRadar using the standard syslog setup in Check Point. The only 2 fields that are recognized are the time/date and the log source IP address. Anything between the square brackets seems to be ignored.

My initial thought was to select several events and use the DSM editor to create overrides to existing fields for the Check Point DSM. This however did not work out. The overrides or parsing enhancement didn't produce the desired change - that of having the Source or Destination IPs in the correct fields.

Is this possible, and am I using the DSM editor correctly? Is this a basic problem with everyone's syslog - that being that everyone claims to produce syslog and claims to consume it, but everyone formats the output differently, such that one needs to create custom DSMs just to work with the data?

1 reply

This is something new that we haven't seen before, but just looking at the example it appears that Azure is likely taking the Check Point event payload, adding a syslog header and putting the entire payload in [ ]. The square brackets are definitely messing with the parsing, and I got a dev to run this example through a unit test briefly; when you take out the [ ], then most fields parsed OK. It looks like the default DSM still picked up UUid as the event ID, but having the original payloads, and not pulling the example from the forums, would help.

I would export these events and open a ticket on this issue as we'd like to understand if this is something new that Check Point is doing or if Azure is adding in the [ ].

I will note that I'm not sure what you are trying to do with the regex for destination, but if you used something like this, it will likely parse better:

dst=\"(.*?)\"

As mentioned above, I would get an export of these events so we can take a look at this new implementation of Check Point in Azure. Feel free to reference this forum post in your ticket, if the support representative has questions, they can ask me.
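As an added example (not code from the thread, IBM or Check Point), the small parser below applies the quoted-value regex from the reply above to a constructed event in the bracket-wrapped shape the reply describes; the syslog header, field names and values are assumptions used only to show the effect of the [ ] wrapper.

```python
import re

# Constructed sample event: a syslog header followed by the Check Point
# key="value" payload wrapped in square brackets, as the reply describes.
# Header, field names and values are assumptions, not data from the thread.
SAMPLE_EVENT = (
    '<134>Jan 15 10:22:31 azure-cp-fw1 CheckPoint '
    '[time="1705314151"; action="Accept"; src="10.1.0.4"; dst="192.0.2.10"; '
    'proto="tcp"; service="443"; uuid="f1a2b3c4-0000-0000-0000-000000000001"]'
)

# Generalisation of the reply's override pattern dst=\"(.*?)\" : capture the
# key as well so every quoted field is pulled out with one expression.
FIELD_RE = re.compile(r'(\w+)=\"(.*?)\"')


def unwrap_brackets(line: str) -> str:
    """Return the text inside the outermost [ ] (the wrapper the reply blames),
    or the line unchanged when no such wrapper is present."""
    start, end = line.find("["), line.rfind("]")
    if start == -1 or end == -1 or end < start:
        return line
    return line[start + 1:end]


def parse_fields(payload: str) -> dict:
    """Extract all key="value" pairs; the regex itself does not care whether
    the [ ] are present, which is why a regex override still works."""
    return dict(FIELD_RE.findall(payload))


def parse_event(line: str) -> dict:
    """Unwrap the Azure-style [ ] and parse the Check Point payload inside."""
    return parse_fields(unwrap_brackets(line))


if __name__ == "__main__":
    fields = parse_event(SAMPLE_EVENT)
    print("src =", fields["src"], "dst =", fields["dst"])
```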